[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1392593053-7900-1-git-send-email-dbanerje@akamai.com>
Date: Sun, 16 Feb 2014 18:24:13 -0500
From: Debabrata Banerjee <dbanerje@...mai.com>
To: linux-kernel@...r.kernel.org, Jeff Mahoney <jeffm@...e.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Kay Sievers <kay.sievers@...y.org>,
Greg Kroah-Hartman <^Cegkh@...uxfoundation.org>
Cc: dbavatar@...il.com, johunt@...mai.com,
Debabrata Banerjee <dbanerje@...mai.com>,
stable@...r.kernel.org
Subject: [PATCH v2] printk: Fix discarding of records
Found another buffer overflow in this code that was introduced by
e3756477aec028427fec767957c0d4b6cfb87208 trying to solve a related overflow.
strace still shows a problem:
syslog(0x3, 0x7fffd65375d0, 0x1000) = 4107
The first record output was in the middle of a LOG_CONT line:
<4>[ 2.974999] 0x0000000000000500-0x000000000000052f SystemIO conflicts with Region \GPIO 1 (20130328/utaddress-251)
This happens because when discarding records to be less than size, the first
line may expand due to there being no previous record. So we must use prev = 0
to calculate if it fits or we should continue discarding.
CC: stable@...r.kernel.org
Signed-off-by: Debabrata Banerjee <dbanerje@...mai.com>
---
kernel/printk/printk.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index b1d255f..bc67990 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -1063,13 +1063,17 @@ static int syslog_print_all(char __user *buf, int size, bool clear)
seq = clear_seq;
idx = clear_idx;
prev = 0;
- while (len > size && seq < log_next_seq) {
+ while (seq < log_next_seq) {
struct printk_log *msg = log_from_idx(idx);
- len -= msg_print_text(msg, prev, true, NULL, 0);
- prev = msg->flags;
idx = log_next(idx);
seq++;
+
+ if (len - msg_print_text(msg, 0, true, NULL, 0) <= size)
+ break;
+
+ len -= msg_print_text(msg, prev, true, NULL, 0);
+ prev = msg->flags;
}
/* last message fitting into this dump */
@@ -2774,12 +2778,16 @@ bool kmsg_dump_get_buffer(struct kmsg_dumper *dumper, bool syslog,
seq = dumper->cur_seq;
idx = dumper->cur_idx;
prev = 0;
- while (l > size && seq < dumper->next_seq) {
+ while (seq < dumper->next_seq) {
struct printk_log *msg = log_from_idx(idx);
- l -= msg_print_text(msg, prev, true, NULL, 0);
idx = log_next(idx);
seq++;
+
+ if ( l - msg_print_text(msg, 0, true, NULL, 0) <= size)
+ break;
+
+ l -= msg_print_text(msg, prev, true, NULL, 0);
prev = msg->flags;
}
--
1.8.3.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists